Note

These lecture notes are based on hand written notes by Dr. Tim Browning, who gave this course in 2004 and 2005. These notes were originally typeset by Andrew Caldwell who attended the lectures in 2007 and were subsequently amended by Professor Roger Heath-Brown. They have since been further checked and amended by me. While I take full responsibility for the present version (corrections and comments welcome), considerable thanks are clearly due to Tim Browning, Andrew Caldwell, and Roger Heath-Brown.

These notes are intended to complement rather than replace lectures (for instance, the diligent student should read at least one or two lectures ahead). Indeed, there may well be differences between these notes and what I write in lectures. Finally, I would encourage all students to consult the recommended texts, as they contain many more details and examples, and had much more time and effort put into them, than these notes.

1 The Integers 

We begin with a quick run through of material that has previously been covered 
in other courses. 

Definition. In this course, $\mathbb{N} := \{1, 2, 3, \ldots\}$ (i.e. zero is not included).

Remark. $(\mathbb{Z}, +, \times)$ is a commutative ring with $1$.

Definition. Given $a, b \in \mathbb{Z}$ with $b \neq 0$, we say that $b$ divides $a$ (and we write $b \mid a$) if and only if there exists $c \in \mathbb{Z}$ such that $a = bc$.

Theorem 1.1 (The Division Algorithm). Given $a \in \mathbb{Z}$, $b \in \mathbb{N}$, there exist unique integers $q$ and $r$ satisfying $a = bq + r$ and $0 \le r < b$.

Proof. Mods. □ 

Definition. Let $a, b \in \mathbb{Z}$, not both zero. The highest common factor of $a$ and $b$, written $(a, b)$, is defined to be the largest $n \in \mathbb{N}$ such that $n \mid a$ and $n \mid b$. If $(a, b) = 1$ then $a$ and $b$ are said to be coprime.

Remark. Note that this is not the definition of highest common factor used in rings in general, but can be shown to be equivalent to the general definition in the case of the ring $\mathbb{Z}$.

Theorem 1.2 (Euclid's Algorithm). Let $r_0 = a$, $r_1 = b$ be positive integers with $a > b > 0$ and apply the division algorithm successively to get $r_j = r_{j+1} q_{j+1} + r_{j+2}$ with $0 \le r_{j+2} < r_{j+1}$ for $0 \le j \le n-2$ and $r_{n+1} = 0$. Then the last non-zero remainder $r_n$ is equal to $(a, b)$.

Proof. Mods. □ 

Lemma 1.3. Let $a, b \in \mathbb{Z}$, not both zero. Then there exist $u, v \in \mathbb{Z}$ such that $au + bv = (a, b)$.

Proof. Mods — Work backwards through Euclid's algorithm. □ 

Example. Work out the highest common factor of 841 and 160 and express it as a linear combination of 841 and 160:

$841 = 160 \times 5 + 41$
$160 = 41 \times 3 + 37$
$41 = 37 \times 1 + 4$
$37 = 4 \times 9 + 1$
$4 = 1 \times 4 + 0.$

Hence $(841, 160) = 1$ (i.e. they are coprime) and working backwards gives:

$1 = 37 \times 1 - 4 \times 9$
$= 37 \times 1 - (41 - 37) \times 9$
$= 37 \times 10 - 41 \times 9$
$= (160 - 3 \times 41) \times 10 - 41 \times 9$
$= 160 \times 10 - 41 \times 39$
$= 160 \times 10 - (841 - 160 \times 5) \times 39$
$= -39 \times 841 + 205 \times 160.$

Note that such a solution is not unique. For example, we will also have

$1 = (160 - 39) \times 841 + (205 - 841) \times 160 = 121 \times 841 - 636 \times 160.$

Lemma 1.4. Let $h = (a, b)$. Then $m \mid a$ and $m \mid b$ if and only if $m \mid h$.

Proof. ($\Leftarrow$) Suppose $m \mid h$. By definition of $h$, $h \mid a$. Hence $m \mid a$. Similarly, $m \mid b$.

($\Rightarrow$) Assuming $m \mid a$ and $m \mid b$, we see that $a = ma'$ and $b = mb'$, say. Now, by Lemma 1.3, there exist $u, v \in \mathbb{Z}$ such that $au + bv = h$ and hence $h = m(a'u + b'v)$. Therefore $m \mid h$. □

Lemma 1.5. Let $a, b \in \mathbb{Z}$, not both zero.

(i) If $(a, b) = d$ then $\left(\frac{a}{d}, \frac{b}{d}\right) = 1$.

(ii) If $c \in \mathbb{Z}$ then $(a + cb, b) = (a, b)$.

Proof. (i) Suppose $e \in \mathbb{N}$ is such that $e \mid \frac{a}{d}$ and $e \mid \frac{b}{d}$. Then there exist $m, n \in \mathbb{Z}$ with $\frac{a}{d} = em$, $\frac{b}{d} = en$. Hence $a = edm$ and $b = edn$, so that $ed$ divides $a$ and $b$. However, $d$ is the largest such integer, whence $ed \le d$. Thus we can only have $e = 1$.

(ii) Suppose $(a + bc, b) = e$. Then $e \mid (a + bc)$ and $e \mid b$. However, $e \mid b \Rightarrow e \mid bc$, and $e \mid (a + bc)$, $e \mid bc \Rightarrow e \mid a$. Thus $e \mid a$ and $e \mid b$ and hence $(a, b) \ge e$. Conversely, if $(a, b) = f$, then $f \mid a$ and $f \mid b$, whence $f \mid bc$. It follows that $f \mid (a + bc)$, and since $f \mid b$ we must have $f \le (a + bc, b) = e$. Hence both $f \ge e$ and $e \ge f$, so that $e = f$.

□

Lemma 1.6. Let $a, b, c \in \mathbb{Z}$ with $a, b$ both non-zero.

(i) The equation $ax + by = c$ is soluble with $x, y \in \mathbb{Z}$ if and only if $(a, b) \mid c$.

(ii) If $(a, c) = 1$, then $c \mid ab$ if and only if $c \mid b$.

Proof. (i) ($\Rightarrow$) By Lemma 1.4, $(a, b) \mid a$ and $(a, b) \mid b$, so that if $c = ax + by$ then $c$ is also a multiple of $(a, b)$. ($\Leftarrow$) Suppose $(a, b) \mid c$ and write $c = (a, b) q$. Then there exist $x, y \in \mathbb{Z}$ such that $(a, b) = ax + by$, by Lemma 1.3. Hence

$c = q(a, b) = qxa + qyb,$

which gives a suitable solution.

(ii) $c \mid b \Rightarrow c \mid ab$ is obvious. Suppose that $(a, c) = 1$ and $c \mid ab$. Then by Lemma 1.3, there exist $x, y \in \mathbb{Z}$ such that $1 = ax + cy$, whence $b = b \cdot 1 = abx + cby$. Now $c \mid ab$ and $c \mid cb$, so $c \mid b$.

□

Definition. Prime and composite numbers in $\mathbb{N}$:

(i) A number $p \in \mathbb{N}$ with $p \ge 2$ is prime if and only if its only divisors are $1$ and $p$.

(ii) A number $n \in \mathbb{N}$ with $n \ge 2$ is composite if and only if it is not prime.

Note that $n = 1$ is neither prime nor composite.

Remark. Suppose $p$ is prime and $p \mid ab$. Let $h = (p, a)$. Then $h \mid p$ so that $h = 1$ or $h = p$. If $h = 1$ then, by Lemma 1.6, $p \mid b$. If $h = p$ then $p = h \mid a$ (since $h = (p, a)$). Hence $p \mid a$ or $p \mid b$. For rings in general, the property that $p \mid ab \Rightarrow p \mid a$ or $p \mid b$ is taken as the defining property for primes.

Theorem 1.7 (The Fundamental Theorem of Arithmetic). Each $n \in \mathbb{N}$ can be expressed as a product of prime power factors in exactly one way, up to the ordering of the factors.
Proof. Given in the Part A Algebra course. However, here is a sketch.

Existence of factorisations can be shown by induction on $n$. The case $n = 1$ is the empty product of primes. In general, if $1, \ldots, (n-1)$ are products of primes, then either $n$ is prime or $n = ab$ with $1 < a, b < n$ and $a, b$ are products of primes.

To show uniqueness, suppose that $n = p_1 \cdots p_r = q_1 \cdots q_s$ where the $p_i$'s and $q_j$'s are prime. Then $p_1 \mid (q_1 \cdots q_s)$, so Lemma 1.6 (with an induction argument) shows that $p_1 \mid q_j$ for some $j$. Since $q_j$ is prime, we must have $p_1 = q_j$. Now cancel a factor and repeat the argument. □

Remark. Given $a, b \in \mathbb{N}$, we may write $a$ and $b$ as products of the prime powers $p_i^{\alpha_i}$ and $p_i^{\beta_i}$ respectively, where the $p_i$'s are distinct primes and $\alpha_i, \beta_i \in \mathbb{N} \cup \{0\}$. Then

$(a, b) = p_1^{\gamma_1} p_2^{\gamma_2} \cdots p_n^{\gamma_n},$

where $\gamma_i = \min(\alpha_i, \beta_i)$.

Theorem 1.8 (Euclid). There are infinitely many primes.

Proof. For a contradiction, assume $\{p_1, p_2, \ldots, p_n\}$ is a complete list of primes. Consider $N := 1 + p_1 p_2 \cdots p_n \in \mathbb{N}$. Then $N \ge 2$ and so either $N$ is prime or it has a prime factor. Thus there exists a prime $p$ dividing $N$. However, every prime is supposedly one of $p_1, \ldots, p_n$, whence $p = p_i$ for some $i$. Then $p = p_i \mid (p_1 \cdots p_n)$, whence $p \mid (N - 1)$. However we also have $p \mid N$, so $p \mid 1$, which is a contradiction. □

2 Linear Congruences 

Definition. Suppose that $a, b \in \mathbb{Z}$ and $n \in \mathbb{N}$. We write $a \equiv b \bmod n$ (or $a \equiv b \pmod n$), and say $a$ is congruent to $b$ mod $n$, if and only if $n \mid (a - b)$.

Example. $4 \equiv 30 \bmod 13$ since $13 \mid (4 - 30) = -26$.

Lemma 2.1. Let $n \in \mathbb{N}$. Then:

(i) being congruent mod $n$ is an equivalence relation.

(ii) if $a \equiv \alpha \bmod n$ and $b \equiv \beta \bmod n$ then $a + b \equiv \alpha + \beta \bmod n$, $a - b \equiv \alpha - \beta \bmod n$ and $ab \equiv \alpha\beta \bmod n$. Moreover, if $f(x) \in \mathbb{Z}[x]$ then $f(a) \equiv f(\alpha) \bmod n$.

Proof. (i) Exercise.

(ii) We will check that $ab \equiv \alpha\beta \bmod n$; the rest is an exercise. Since $a \equiv \alpha \bmod n$, we have $n \mid (a - \alpha)$ and so $a = \alpha + ns$ for some $s \in \mathbb{Z}$. Similarly, $b = \beta + nt$ for some $t \in \mathbb{Z}$. Hence $ab = (\alpha + ns)(\beta + nt) = \alpha\beta + n(s\beta + t\alpha + nst)$ and so $n \mid (ab - \alpha\beta)$. Therefore $ab \equiv \alpha\beta \bmod n$, as required.

□
Example. Let $n \in \mathbb{N}$ and write $n$ in decimal notation

$n = \sum_{i=0}^{k} a_i 10^i, \quad$ where $0 \le a_i \le 9$ for all $i$.

Define $f(x)$ by

$f(x) = \sum_{i=0}^{k} a_i x^i.$

Then, since $10 \equiv -1 \bmod 11$, we see that $n = f(10) \equiv f(-1) \bmod 11$, whence $11 \mid n \iff 11 \mid f(-1) \iff 11 \mid (a_0 - a_1 + a_2 - a_3 + \cdots + (-1)^k a_k)$. This gives an easy way to test integers for divisibility by 11.

Definition. Given $n \in \mathbb{N}$, we write $[a]_n$ for the equivalence class of $a$, so that $[a]_n = \{b \in \mathbb{Z} : a \equiv b \bmod n\}$.

Remark. We have $\mathbb{Z} = \bigcup_{a=0}^{n-1} [a]_n$ (disjoint equivalence classes).

Definition. We write $\mathbb{Z}/n\mathbb{Z} = \{[a]_n : 0 \le a \le n-1\}$ (so that $\#(\mathbb{Z}/n\mathbb{Z}) = n$). We set $[a]_n + [b]_n := [a+b]_n$ and $[a]_n [b]_n := [ab]_n$ (we must check that these are well-defined).

Lemma 2.2. The set $\mathbb{Z}/n\mathbb{Z}$, with the above operations, is a commutative ring with $0 = [0]_n$ and $1 = [1]_n$.

Proof. Given in Part A Algebra. □ 
Definition. We write

$(\mathbb{Z}/n\mathbb{Z})^\times = \{[a]_n \in \mathbb{Z}/n\mathbb{Z} : \exists [b]_n \in \mathbb{Z}/n\mathbb{Z} \text{ such that } [a]_n [b]_n = [1]_n\}.$

This is the set of units of $\mathbb{Z}/n\mathbb{Z}$, and is a group under multiplication.

Lemma 2.3. $[a]_n \in (\mathbb{Z}/n\mathbb{Z})^\times \iff (a, n) = 1$.

Proof.

$[a]_n \in (\mathbb{Z}/n\mathbb{Z})^\times \iff \exists [b]_n \in \mathbb{Z}/n\mathbb{Z}$ such that $[a]_n [b]_n = [1]_n$
$\iff \exists b \in \mathbb{Z}$ such that $[ab]_n = [1]_n$
$\iff \exists b \in \mathbb{Z}$ such that $ab \equiv 1 \bmod n$
$\iff \exists b \in \mathbb{Z}$ such that $n \mid (ab - 1)$
$\iff \exists b, t \in \mathbb{Z}$ such that $ab - 1 = nt$
$\iff (a, n) = 1$, by Lemma 1.6.

□

Example. $(\mathbb{Z}/12\mathbb{Z})^\times = \{[1]_{12}, [5]_{12}, [7]_{12}, [11]_{12}\}$.
Lemma 2.4. Let $n \in \mathbb{N}$ and $a, b \in \mathbb{Z}$.

(i) The congruence $ax \equiv b \bmod n$ has a solution $x \in \mathbb{Z}$ if and only if $(a, n) \mid b$.

(ii) If $(a, n) \mid b$ then $\#\{[x]_n : ax \equiv b \bmod n\} = (a, n)$.

Proof. (i) There exists $x \in \mathbb{Z}$ such that $ax \equiv b \bmod n$ if and only if there exist $x, y \in \mathbb{Z}$ such that $ax - b = ny$, if and only if $(a, n) \mid b$, by Lemma 1.6.

(ii) Let $(a, n) = h$ with $h \mid b$. By part (i), $ax_0 - b = ny_0$ for some $x_0, y_0$. Then

$ax - b = ny \iff ax - ny = b = ax_0 - ny_0$
$\iff a(x - x_0) = n(y - y_0)$
$\iff \frac{a}{h}(x - x_0) = \frac{n}{h}(y - y_0).$

But $\left(\frac{a}{h}, \frac{n}{h}\right) = 1$ by Lemma 1.5, whence $\frac{a}{h} \mid (y - y_0)$ and $\frac{n}{h} \mid (x - x_0)$. Then if $y - y_0 = \frac{a}{h} t$ say, we have $x - x_0 = \frac{n}{h} t$, so that

$\{x : ax \equiv b \bmod n\} = \{x = x_0 + \tfrac{n}{h} t : t \in \mathbb{Z}\}.$

Thus we get distinct classes $[x]_n$ for $0 \le t < h$, and hence $\#\{[x]_n : ax \equiv b \bmod n\} = h = (n, a)$.

□

Example. Find the solutions of $100x \equiv 26 \bmod 86$. We have $100x \equiv 26 \bmod 86 \iff 86 \mid (100x - 26) \iff 100x - 26 = 86y' \iff 50x + 43y = 13$ (with $y = -y'$). First solve $50a + 43b = 1$ using the Euclidean Algorithm:

$50 = 43 \times 1 + 7$
$43 = 7 \times 6 + 1$

and so

$1 = 43 - 7 \times 6$
$= 43 - (50 - 43 \times 1) \times 6$
$= 7 \times 43 - 6 \times 50.$

We therefore take $a = -6$ and $b = 7$. We then set $x = 13a$, $y = 13b$ so that $50x + 43y = 13$. From this we can see that $x = -6 \times 13 = -78 \equiv 8 \bmod 86$ is a solution, and that the general solution is $x_0 + \frac{n}{h} t = 8 + \frac{86}{2} t = 8 + 43t$.

Theorem 2.5 (Chinese Remainder Theorem (Sun-Tze, 3rd-4th century A.D.)). Let $n_1, n_2, \ldots, n_t \in \mathbb{N}$ with $(n_i, n_j) = 1$ whenever $i \neq j$ (i.e. the $n_i$ are "coprime in pairs") and let $a_1, a_2, \ldots, a_t \in \mathbb{Z}$ be given. Then there exists $x \in \mathbb{Z}$ such that $x \equiv a_i \bmod n_i$ for all $i = 1, \ldots, t$. Moreover, if $x'$ is any other solution, then $x' \equiv x \bmod N$, where $N := n_1 n_2 \cdots n_t$.

Proof. Define $N_i := N/n_i$. Then $(N_i, n_i) = 1$, since $n_i$ is coprime to all the factors of $N_i$. Hence by Lemma 2.4 (or Lemma 2.3), there exists $x_i \in \mathbb{Z}$ such that $N_i x_i \equiv 1 \bmod n_i$. Define $x = \sum_i a_i N_i x_i$. Thus $x \equiv a_k N_k x_k \bmod n_k$, since $n_k \mid N_i$ for all $i \neq k$. Therefore $x \equiv a_k (N_k x_k) \equiv a_k \bmod n_k$ for all $k$.

Also, if $x' \equiv a_k \bmod n_k$ for all $k$, then $x' \equiv x \bmod n_k$ for all $k$. Thus $n_k \mid (x' - x)$ for all $k$, and hence $n_1 n_2 \cdots n_t \mid (x' - x)$, since the $n_i$ are pairwise coprime. This yields $x' \equiv x \bmod N$. □

Remark. We have used that $(n_i, n_j) = 1$ whenever $i \neq j$ twice in the above proof. This hypothesis is necessary because, for example, the pair of congruences $x \equiv 2 \bmod 12$, $x \equiv 4 \bmod 20$ has no solution.

Example. Solve:

$x \equiv 2 \bmod 3,$
$x \equiv 3 \bmod 5,$
$x \equiv 2 \bmod 7.$

Following the proof, we put $N := 3 \times 5 \times 7 = 105$, $N_1 = 35$, $N_2 = 21$, $N_3 = 15$ and

$35 x_1 \equiv 1 \bmod 3 \Rightarrow$ take $x_1 = 2$,
$21 x_2 \equiv 1 \bmod 5 \Rightarrow$ take $x_2 = 1$,
$15 x_3 \equiv 1 \bmod 7 \Rightarrow$ take $x_3 = 1$.

Therefore

$x = 2 N_1 x_1 + 3 N_2 x_2 + 2 N_3 x_3 = (2 \times 35 \times 2) + (3 \times 21 \times 1) + (2 \times 15 \times 1) = 233,$

and the smallest positive integer solution is $23 \equiv 233 \bmod 105$.

Corollary 2.6. If $m, n \in \mathbb{N}$ are coprime then

(i) $\mathbb{Z}/mn\mathbb{Z} \cong \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$,

(ii) $(\mathbb{Z}/mn\mathbb{Z})^\times \cong (\mathbb{Z}/m\mathbb{Z})^\times \times (\mathbb{Z}/n\mathbb{Z})^\times$.

Proof. This result, sometimes also referred to as the Chinese Remainder Theorem, is from Part A Algebra. However, we give a sketch proof of part (i). The isomorphism is given explicitly by

$\phi : \mathbb{Z}/mn\mathbb{Z} \to \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}, \quad a + mn\mathbb{Z} \mapsto (a + m\mathbb{Z}, a + n\mathbb{Z}).$

It is straightforward to check that this map is a well-defined homomorphism. It is onto by Theorem 2.5, and hence is injective by a counting argument. □
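The three computations above (the extended Euclidean algorithm of Lemma 1.3, solving a linear congruence as in Lemma 2.4, and the Chinese Remainder Theorem construction of Theorem 2.5) are carried out in the following Python code. This is an added worked example, not part of the original notes; the function names `egcd`, `solve_linear_congruence` and `crt` are my own, and the inputs are the numbers from the three examples in the text (841 and 160; $100x \equiv 26 \bmod 86$; $x \equiv 2, 3, 2 \bmod 3, 5, 7$). A solver that keeps the Bezout coefficients along the way is exactly what a modular-inverse or key-setup routine in practice relies on, so it is worth seeing it done without shortcuts.

```python
from math import gcd
from functools import reduce


def egcd(a, b):
    """Extended Euclid: return (h, u, v) with a*u + b*v = h = (a, b).

    Each remainder r_j is carried along as a combination r_j = a*u_j + b*v_j,
    so the 'working backwards' of Lemma 1.3 is done forwards in one pass.
    """
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def solve_linear_congruence(a, b, n):
    """All classes x mod n with a*x == b (mod n), following Lemma 2.4.

    Returns [] when (a, n) does not divide b, and otherwise exactly (a, n)
    residues x0 + (n/h)*t for t = 0, ..., h-1.
    """
    h, u, _ = egcd(a, n)              # a*u + n*v = h = (a, n)
    if b % h != 0:
        return []
    step = n // h
    x0 = (u * (b // h)) % step        # (a/h) * x0 == b/h  (mod n/h)
    return [x0 + step * t for t in range(h)]


def crt(residues, moduli):
    """Smallest non-negative x with x == a_i (mod n_i) for all i (Theorem 2.5)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be coprime in pairs")
    big_n = reduce(lambda x, y: x * y, moduli, 1)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        n_i_bar = big_n // n_i                 # N_i = N / n_i
        _, x_i, _ = egcd(n_i_bar, n_i)         # N_i * x_i == 1 (mod n_i)
        x += a_i * n_i_bar * x_i               # x = sum a_i N_i x_i
    return x % big_n


if __name__ == "__main__":
    print(egcd(841, 160))                        # (1, -39, 205)
    print(solve_linear_congruence(100, 26, 86))  # [8, 51]
    print(crt([2, 3, 2], [3, 5, 7]))             # 23
```

The coefficients returned by `egcd` are one particular Bezout pair (the one the text derives); as the notes remark, other pairs such as $(121, -636)$ are equally valid. `crt` refuses moduli that are not pairwise coprime, which is the hypothesis the remark after Theorem 2.5 shows cannot be dropped.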
3 Polynomial Congruences

Theorem 3.1 (Wilson's Theorem, 1770). An integer $p \ge 2$ is prime if and only if $(p-1)! \equiv -1 \bmod p$.

Example. For $p = 5$, we have $(5-1)! = 4! = 24 \equiv -1 \bmod 5$; but for $p = 6$, we have $(6-1)! = 5! = 120 \equiv 0 \bmod 6$.

Proof. ($\Leftarrow$) If $n$ is composite then there exists $d$ dividing $n$ with $1 < d < n$. Therefore $d \mid (n-1)!$ and $d \mid n$. So if $(n-1)! \equiv -1 \bmod n$ then $n \mid ((n-1)! + 1)$ and so $d \mid ((n-1)! + 1)$. Hence $d \mid 1 = ((n-1)! + 1) - (n-1)!$, which is a contradiction.

($\Rightarrow$) One can easily check the cases $p = 2, 3$. Now assume $p$ is prime with $p > 3$. Then by Lemma 2.3,

$(\mathbb{Z}/p\mathbb{Z})^\times = \{[a]_p \in \mathbb{Z}/p\mathbb{Z} : (a, p) = 1\} = \{[1]_p, [2]_p, \ldots, [p-1]_p\}.$

Now look at those $[i]_p$ such that $[i]_p = [i]_p^{-1}$. For these values we have $i^2 \equiv 1 \bmod p \iff p \mid (i^2 - 1) \Rightarrow p \mid (i-1)(i+1)$, and so $[i]_p = [1]_p$ or $[-1]_p$. Therefore, if we exclude these two cases, the remaining set $[2]_p, [3]_p, \ldots, [p-2]_p$ can be split into inverse pairs. It follows that $2 \times 3 \times 4 \times \cdots \times (p-2) \equiv 1 \bmod p$, and hence that $(p-1)! \equiv -1 \bmod p$. □

Theorem 3.2 (Fermat's Little Theorem, 1640). Let $p$ be a prime and let $x \in \mathbb{Z}$ be such that $p \nmid x$. Then $x^{p-1} \equiv 1 \bmod p$.

Proof. Let $G$ be the group $(\mathbb{Z}/p\mathbb{Z})^\times$, so that $\#G = p - 1$. Apply Lagrange's Theorem from group theory (see Mods), which implies that if $G$ is a finite group and $g \in G$ then $g^{\#G} = 1_G$. In our case we take $g = x + p\mathbb{Z}$, which gives

$(x + p\mathbb{Z})^{p-1} = 1 + p\mathbb{Z} \Rightarrow x^{p-1} + p\mathbb{Z} = 1 + p\mathbb{Z} \iff x^{p-1} \equiv 1 \bmod p.$

□

Alternative proof. We shall show that $x^p \equiv x \bmod p$ for all $x \in \mathbb{N}$ (then it is true for all $x \in \mathbb{Z}$). This suffices because if $p \nmid x$ then

$x^p \equiv x \bmod p \Rightarrow p \mid (x^p - x) \Rightarrow p \mid x(x^{p-1} - 1) \Rightarrow p \mid (x^{p-1} - 1),$

(we have used that $p$ is prime and $p \nmid x$ in the last step).

We proceed by induction on $x$. The case $x = 1$ is trivial. Suppose that $x^p \equiv x \bmod p$ for some $x \in \mathbb{N}$. By the binomial theorem we have

$(x+1)^p = x^p + \binom{p}{1} x^{p-1} + \binom{p}{2} x^{p-2} + \cdots + \binom{p}{p-1} x + 1.$

However, $\binom{p}{k} = \frac{p!}{k!(p-k)!}$ is divisible by $p$ if $1 \le k \le p-1$ since $p \mid p!$ but $p \nmid k!$ and $p \nmid (p-k)!$. Therefore

$(x+1)^p \equiv x^p + 1 \equiv x + 1 \bmod p,$

where the last equality uses the induction hypothesis. □
Remark. The converse to Fermat's Little Theorem is not always true. For example, $2^{340} \equiv 1 \bmod 341$, but $341 = 11 \times 31$. Nonetheless, Fermat's Little Theorem provides a very useful necessary condition for primality: if $n$ is odd, but $2^{n-1} \not\equiv 1 \bmod n$, then $n$ cannot be prime. In fact, if $2^{n-1} \equiv 1 \bmod n$ then $n$ is probably (but not necessarily) prime. Note that there are methods that can compute $2^{n-1} \bmod n$ very rapidly.
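The following Python code, added here as a worked example and not taken from the notes, puts Wilson's Theorem (Theorem 3.1) and the Fermat test of the remark above side by side. `wilson_is_prime` is an exact test but costs $n - 2$ multiplications; `fermat_says_prime` uses Python's three-argument `pow`, which is the rapid square-and-multiply computation of $2^{n-1} \bmod n$ the remark alludes to, but it is only a necessary condition. `fermat_pseudoprimes` lists the odd composites below a bound that the base-2 test lets through; the names of these functions and `is_prime_trial` (the ground truth, by trial division) are my own.

```python
def is_prime_trial(n):
    """Exact primality by trial division; the ground truth for the checks below."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def wilson_is_prime(n):
    """Wilson's Theorem (3.1): n >= 2 is prime iff (n-1)! == -1 (mod n).

    Exact, but the product has n-2 factors, so it is hopeless for large n.
    """
    if n < 2:
        return False
    f = 1
    for k in range(2, n):
        f = (f * k) % n        # reduce at every step so f never exceeds n
    return f == n - 1          # the residue n-1 is -1 mod n


def fermat_says_prime(n, base=2):
    """Fermat test for odd n: does base^(n-1) == 1 (mod n)?

    False proves n composite (contrapositive of Theorem 3.2); True only
    means 'probably prime'. pow(base, n-1, n) is the fast modular power.
    """
    if n < 3:
        return is_prime_trial(n)
    return pow(base, n - 1, n) == 1


def fermat_pseudoprimes(limit, base=2):
    """Odd composites n <= limit that the Fermat test to this base lets through."""
    return [n for n in range(3, limit + 1, 2)
            if fermat_says_prime(n, base) and not is_prime_trial(n)]


if __name__ == "__main__":
    print(wilson_is_prime(5), wilson_is_prime(6))   # True False
    print(fermat_says_prime(341))                   # True, although 341 = 11 x 31
    print(fermat_pseudoprimes(600))                 # [341, 561]
```

The first composite the base-2 test accepts is 341, the example in the remark; the next, 561, is accepted to every base coprime to it, which is why practical primality tests combine several bases with a stronger condition rather than rely on a single Fermat check.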

Definition. For $n \in \mathbb{N}$ we define Euler's totient function, or the $\phi$-function, by

$\phi(n) := \#\{a \in \mathbb{N} : a \le n, (a, n) = 1\} = \#(\mathbb{Z}/n\mathbb{Z})^\times.$

Theorem 3.3 (Euler's Theorem, 1760). Let $n \in \mathbb{N}$ and $x \in \mathbb{Z}$ with $(n, x) = 1$. Then $x^{\phi(n)} \equiv 1 \bmod n$.

Proof. Use Lagrange's Theorem from group theory exactly as before. □

Remark. Note that $\phi(p) = p - 1$ for $p$ prime, so that Euler's Theorem generalises Fermat's Little Theorem.

Lemma 3.4. Let $n \in \mathbb{N}$.

(i) If $n = p^e$ with $p$ prime, then $\phi(n) = p^e - p^{e-1}$.

(ii) If $n = p_1^{e_1} \cdots p_r^{e_r}$ with $p_i$ distinct primes, then

$\phi(n) = \phi(p_1^{e_1}) \cdots \phi(p_r^{e_r}) = n \prod_{i=1}^{r} \left(1 - \frac{1}{p_i}\right).$

Proof. (i) If $n = p^e$ then for all $m$, either $(n, m) = 1$ or $p \mid m$. Thus

$\phi(n) = \#\{m \in \mathbb{N} : m \le p^e, p \nmid m\}$
$= \#\{m \in \mathbb{N} : m \le p^e\} - \#\{m \in \mathbb{N} : m \le p^e, p \mid m\}$
$= p^e - p^{e-1}.$

(ii) Corollary 2.6 used repeatedly yields

$(\mathbb{Z}/n\mathbb{Z})^\times \cong (\mathbb{Z}/p_1^{e_1}\mathbb{Z})^\times \times \cdots \times (\mathbb{Z}/p_r^{e_r}\mathbb{Z})^\times.$

Hence we have

$\phi(n) = \#(\mathbb{Z}/n\mathbb{Z})^\times$
$= \phi(p_1^{e_1}) \cdots \phi(p_r^{e_r})$
$= (p_1^{e_1} - p_1^{e_1 - 1}) \cdots (p_r^{e_r} - p_r^{e_r - 1})$
$= p_1^{e_1}\left(1 - \frac{1}{p_1}\right) \cdots p_r^{e_r}\left(1 - \frac{1}{p_r}\right)$
$= n \prod_{i=1}^{r} \left(1 - \frac{1}{p_i}\right).$

□

Lemma 3.5. For any $n \in \mathbb{N}$ we have $\sum_{d \mid n} \phi(d) = n$.

Proof. We classify integers $a \le n$ according to their highest common factor with $n$. Thus

$\{a \in \mathbb{N} : a \le n\} = \bigcup_{d \mid n} \{a \in \mathbb{N} : a \le n, (n, a) = d\}$ (disjoint union).

Hence $n = \sum_{d \mid n} S_d$ where $S_d := \#\{a \in \mathbb{N} : a \le n, (n, a) = d\}$.

If $d \mid n$ then, by Lemma 1.5, we have $(n, a) = d \iff a = da'$ with $\left(\frac{n}{d}, a'\right) = 1$. Moreover $a \le n \iff a' \le \frac{n}{d}$. It follows that

$S_d = \#\{a' \in \mathbb{N} : a' \le \tfrac{n}{d}, (\tfrac{n}{d}, a') = 1\},$

and hence $S_d = \phi\left(\frac{n}{d}\right)$. We deduce that $n = \sum_{d \mid n} \phi\left(\frac{n}{d}\right)$. However when $d$ runs over the divisors of $n$, so does $e = n/d$, so that $n = \sum_{e \mid n} \phi(e)$. □

Example. For $n = 12$ we have

$\phi(1) + \phi(2) + \phi(3) + \phi(4) + \phi(6) + \phi(12) = 1 + 1 + 2 + 2 + 2 + 4 = 12.$
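As an added example (my code, not the notes'), here is Lemma 3.4 turned into a totient routine and Lemma 3.5 checked numerically. `phi` computes $\prod (p^e - p^{e-1})$ from a trial-division factorisation, `phi_by_counting` uses only the definition, and `sum_phi_over_divisors` is the left-hand side of Lemma 3.5; the function names are my own. In a cryptographic setting the first formula is the one actually used (for an RSA modulus $n = pq$ it gives $(p-1)(q-1)$), and the counting version is what makes the formula checkable for small $n$.

```python
from math import gcd


def factorise(n):
    """Prime factorisation by trial division: {p: e} with n = prod p^e."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:                       # whatever is left is a prime factor
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's totient via Lemma 3.4: phi(n) = prod over p^e || n of (p^e - p^(e-1))."""
    result = 1
    for p, e in factorise(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n):
    """The definition: #{a in N : a <= n, (a, n) = 1}. Slow, but independent of Lemma 3.4."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def sum_phi_over_divisors(n):
    """Left-hand side of Lemma 3.5; the lemma says this equals n."""
    return sum(phi(d) for d in divisors(n))


if __name__ == "__main__":
    print(phi(12), phi_by_counting(12))        # 4 4
    print(sum_phi_over_divisors(12))           # 12
    print(phi(7 ** 3), 7 ** 3 - 7 ** 2)        # 294 294
```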

Theorem 3.6 (Lagrange's polynomial congruence theorem, 1768). Let $f(x) = a_0 + a_1 x + \cdots + a_d x^d \in \mathbb{Z}[x]$ and let $p$ be a prime with $p \nmid a_d$. Then $f(x) \equiv 0 \bmod p$ has at most $d$ solutions mod $p$.

Remark. More generally, any polynomial equation of degree $d$ over a field has at most $d$ solutions (note that $\mathbb{Z}/p\mathbb{Z} = \mathbb{F}_p$ is a field).

Proof. The proof is by induction on $d$. If $x_0$ is a root of $f(x) \equiv 0 \bmod p$, we may write $f(x) = (x - x_0) q(x) + c$ by the Division Algorithm applied to the ring of polynomials. It follows that $f(x_0) = (x_0 - x_0) q(x_0) + c \equiv 0 \bmod p$, whence $c \equiv 0 \bmod p$. From this we see that $f(x) \equiv (x - x_0) q(x) \bmod p$. Now the congruence $q(x) \equiv 0 \bmod p$ has at most $d - 1$ roots, by the inductive hypothesis. Call these roots $x_1, x_2, \ldots, x_r$ with $r \le d - 1$. Now, whenever $f(x^*) \equiv 0 \bmod p$ we have $(x^* - x_0) q(x^*) \equiv 0 \bmod p$. Therefore $p \mid (x^* - x_0)$ or $p \mid q(x^*)$, and so $x^* \equiv x_0 \bmod p$ or $x^* \equiv x_1, x_2, \ldots,$ or $x_r \bmod p$. Hence there are at most $d$ roots of the equation $f(x) \equiv 0 \bmod p$. □

Example. Note that $x^2 - 1 \equiv 0 \bmod 8$ has 4 roots, namely $1, 3, 5, 7 \bmod 8$. This is not a counterexample to Theorem 3.6, however, because $8$ is not prime (and $\mathbb{Z}/8\mathbb{Z}$ is not a field).
4 Primitive Roots

We investigate the structure of the group $(\mathbb{Z}/n\mathbb{Z})^\times$.

Definition. Let $(a, n) = 1$ with $a, n \in \mathbb{N}$. Then the least $d \in \mathbb{N}$ such that $a^d \equiv 1 \bmod n$ is called the order of $a$ mod $n$, and written $\operatorname{ord}_n(a)$. This is the order of $[a]_n$ in $(\mathbb{Z}/n\mathbb{Z})^\times$.

Remark. Lagrange's Theorem in group theory tells us that the order of an element divides the order of the group; so $\operatorname{ord}_n(a)$ divides $\phi(n) = \#(\mathbb{Z}/n\mathbb{Z})^\times$.

Definition. When $n \in \mathbb{N}$, we say that $a \in \mathbb{Z}$ is a primitive root of $n$ if and only if $(a, n) = 1$ and $\operatorname{ord}_n(a) = \phi(n)$. This is equivalent to requiring $a$ to be a generator for $(\mathbb{Z}/n\mathbb{Z})^\times$, which must therefore be cyclic.

Example. Let $n = 5$ and abbreviate $[x]_n = [x]_5$ to $[x]$. Then we have

$[2]^0 = [1], \quad [2]^1 = [2], \quad [2]^2 = [4], \quad [2]^3 = [8] = [3], \quad [2]^4 = [16] = [1].$

Therefore $\operatorname{ord}_5(2) = 4 = \phi(5)$ and so $2$ is a primitive root of $5$.

Remark. For some values of $n$ there are no primitive roots. For example, every non-trivial element of $(\mathbb{Z}/8\mathbb{Z})^\times = \{[1]_8, [3]_8, [5]_8, [7]_8\}$ has order $2$, and so $(\mathbb{Z}/8\mathbb{Z})^\times$ is not cyclic.

Lemma 4.1. Let $n \in \mathbb{N}$.

(i) $\operatorname{ord}_n(a) = t \Rightarrow \operatorname{ord}_n(a^u) = \dfrac{t}{(t, u)}$.

(ii) If $r$ is a primitive root of $n$ then $r^u$ is too, if and only if $(u, \phi(n)) = 1$.

Proof. (i) Let $v = (t, u)$, and $t = vt'$, $u = vu'$ so that $(t', u') = 1$. We need to show that $\operatorname{ord}_n(a^u) = t'$. Note that

$(a^u)^{t'} = a^{ut'} = a^{vu't'} = a^{tu'} = (a^t)^{u'} \equiv 1^{u'} = 1 \bmod n.$

We now need to show that $t'$ is minimal. Suppose that $(a^u)^s \equiv 1 \bmod n$. Then, since $t$ is the order of $a$, we must have that $t \mid us$. This implies that $t' \mid u's$, and hence $t' \mid s$, because $t'$ and $u'$ are coprime. Thus $t' \le s$ as required.

(ii) This follows from part (i), since $\operatorname{ord}_n(r^u) = \dfrac{\phi(n)}{(u, \phi(n))} = \phi(n) \iff (u, \phi(n)) = 1$.

□

Lemma 4.2. Let $p$ be prime and let $d$ divide $p - 1$. Then there are exactly $\phi(d)$ elements $a \bmod p$ such that $\operatorname{ord}_p(a) = d$. In particular, there are $\phi(p-1)$ primitive roots modulo $p$. Hence $(\mathbb{Z}/p\mathbb{Z})^\times$ is always cyclic.

Proof. Let $d \mid (p-1)$ and write $\psi(d) = \#\{a \bmod p : (a, p) = 1, \operatorname{ord}_p(a) = d\}$. We aim to show that $\psi(d) = \phi(d)$. By Lemma 3.5, $\sum_{d \mid (p-1)} \phi(d) = p - 1$; and moreover, since $\operatorname{ord}_p(a) \mid (p-1)$, we must have $\sum_{d \mid (p-1)} \psi(d) = p - 1$ (because there are $p - 1$ possible $a \bmod p$ with $(a, p) = 1$). If we can show that $\psi(d) \le \phi(d)$ for all $d \mid (p-1)$ then $\psi(d) = \phi(d)$ for all such $d$. (Otherwise, if $\psi(d_0) < \phi(d_0)$ for some $d_0$, then $\sum_{d \mid (p-1)} \psi(d) < \sum_{d \mid (p-1)} \phi(d)$.) We examine two cases:

(i) $\psi(d) = 0$. Then $\psi(d) \le \phi(d)$.

(ii) $\psi(d) \ge 1$. Then there exists $a$ such that $(a, p) = 1$ and $\operatorname{ord}_p(a) = d$. By Lemma 4.1, $\operatorname{ord}_p(a^i) \mid d$ for all $i$. Moreover, $a^0, a^1, \ldots, a^{d-1}$ are all incongruent mod $p$ since $\operatorname{ord}_p(a) = d$. Since $\operatorname{ord}_p(a^i) \mid d$, we have $(a^i)^d \equiv 1 \bmod p$, so that the congruence $x^d - 1 \equiv 0 \bmod p$ has at least $d$ distinct roots mod $p$. By Theorem 3.6 (Lagrange's polynomial congruence theorem), there are at most $d$ roots. Thus every root must be of the form $a^i \bmod p$.

Now suppose that $\operatorname{ord}_p(b) = d$. Then $b^d \equiv 1 \bmod p$ so that $b$ is a root of the polynomial $x^d - 1 \equiv 0 \bmod p$. Thus $b \equiv a^i \bmod p$ for some $i$, which we may assume is in the range $0 \le i < d$. Now we know that $\operatorname{ord}_p(b) = \operatorname{ord}_p(a^i) = \frac{d}{(d, i)}$ by Lemma 4.1. Hence $\operatorname{ord}_p(b) = d \iff (d, i) = 1$, so that

$\psi(d) = \#\{i : 0 \le i < d, (i, d) = 1\} = \phi(d).$

Therefore $\psi(d) \le \phi(d)$ as required. □

Theorem 4.3. $(\mathbb{Z}/n\mathbb{Z})^\times$ is cyclic $\iff$ $n$ has a primitive root $\iff$ $n = 1, 2, 4, p^e, 2p^e$ where $e \in \mathbb{N}$ and $p$ is an odd prime.

Proof. Not examinable (but statement is examinable). See Baker, A concise 
introduction to the theory of numbers, §3.6, for example. □ 

Lemma 4.4. Let $n \in \mathbb{N}$ and suppose that $n$ has a primitive root. Let $a \in \mathbb{Z}$ with $(a, n) = 1$ and let $k \in \mathbb{N}$. Then

$\exists x \in \mathbb{Z}$ such that $x^k \equiv a \bmod n \iff a^{\phi(n)/(\phi(n), k)} \equiv 1 \bmod n.$

Proof. Let $g$ be a primitive root of $n$. Then $g^i \equiv g^j \bmod n \iff \phi(n) \mid (i - j)$. For any $x \in \mathbb{Z}$ with $(x, n) = 1$, we define the discrete logarithm of $x$ to base $g$ modulo $n$ by

$g^{l(x)} \equiv x \bmod n \quad$ and $\quad l(x) \in \{0, 1, \ldots, \phi(n) - 1\}.$

Note that, since $(\mathbb{Z}/n\mathbb{Z})^\times$ is cyclic, there must be exactly one such value $l(x)$ for each $x$. Note too that $l(xy) \equiv l(x) + l(y) \bmod \phi(n)$. Now,

$\exists x$ such that $x^k \equiv a \bmod n \iff \exists x$ such that $(g^{l(x)})^k \equiv g^{l(a)} \bmod n$
$\iff \exists x$ such that $\phi(n) \mid (k\, l(x) - l(a))$
$\iff \exists x$ such that $k\, l(x) \equiv l(a) \bmod \phi(n)$
$\iff \exists z$ such that $kz \equiv l(a) \bmod \phi(n)$
$\iff (k, \phi(n)) \mid l(a)$, by Lemma 2.4
$\iff \phi(n) \mid \dfrac{\phi(n)\, l(a)}{(\phi(n), k)}$
$\iff g^{\phi(n)\, l(a)/(\phi(n), k)} \equiv 1 \bmod n$
$\iff a^{\phi(n)/(\phi(n), k)} \equiv 1 \bmod n.$

□

Remark. Lemma 4.4 does not hold without the hypothesis that $n$ has a primitive root. For example, if $n = 8$, $k = 2$, $a = 3$ then there exists no $x \in \mathbb{Z}$ such that $x^2 \equiv 3 \bmod 8$, yet $a^{\phi(8)/(\phi(8), 2)} = 3^{4/(4, 2)} = 3^2 = 9 \equiv 1 \bmod 8$.
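The following Python code is an added example (mine, not from the notes) covering this section: `order_mod` computes $\operatorname{ord}_n(a)$ by the definition, `primitive_roots` finds the generators of $(\mathbb{Z}/n\mathbb{Z})^\times$ (recovering the example $n = 5$ and the non-cyclic case $n = 8$), `count_by_order` tallies the elements of each order modulo a prime so that Lemma 4.2 can be checked against $\phi(d)$, and `lemma_4_4_criterion` is the test $a^{\phi(n)/(\phi(n),k)} \equiv 1 \bmod n$ of Lemma 4.4, compared with brute-force search for a $k$-th root. The function names are my own, and $\phi$ is computed directly from its definition here to keep the block self-contained.

```python
from math import gcd


def phi(n):
    """phi(n) straight from the definition in Section 3; fine for small n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def order_mod(a, n):
    """ord_n(a): the least d >= 1 with a^d == 1 (mod n); requires (a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("the order is only defined for a coprime to n")
    if n == 1:
        return 1
    d, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        d += 1
    return d


def primitive_roots(n):
    """All a in [1, n] with (a, n) = 1 and ord_n(a) = phi(n)."""
    ph = phi(n)
    return [a for a in range(1, n + 1) if gcd(a, n) == 1 and order_mod(a, n) == ph]


def has_primitive_root(n):
    return len(primitive_roots(n)) > 0


def count_by_order(p):
    """Lemma 4.2 for a prime p: {d: #{a mod p : ord_p(a) = d}}; each count should be phi(d)."""
    counts = {}
    for a in range(1, p):
        d = order_mod(a, p)
        counts[d] = counts.get(d, 0) + 1
    return counts


def kth_power_solvable(a, k, n):
    """Brute force: is there an x with x^k == a (mod n)?"""
    return any(pow(x, k, n) == a % n for x in range(n))


def lemma_4_4_criterion(a, k, n):
    """The right-hand side of Lemma 4.4: a^(phi(n)/(phi(n), k)) == 1 (mod n)."""
    ph = phi(n)
    return pow(a, ph // gcd(ph, k), n) == 1


def lemma_4_4_holds_for(n, max_k=6):
    """Does the criterion agree with brute force for every unit a and 1 <= k <= max_k?"""
    return all(kth_power_solvable(a, k, n) == lemma_4_4_criterion(a, k, n)
               for a in range(1, n + 1) if gcd(a, n) == 1
               for k in range(1, max_k + 1))


if __name__ == "__main__":
    print(order_mod(2, 5), primitive_roots(5))          # 4 [2, 3]
    print(primitive_roots(8))                           # [] : (Z/8Z)^x is not cyclic
    print(count_by_order(13))                           # {1: 1, 2: 1, 3: 2, 4: 2, 6: 2, 12: 4}
    print(lemma_4_4_criterion(3, 2, 8), kth_power_solvable(3, 2, 8))  # True False
```

For $n = 8$, $k = 2$, $a = 3$ the criterion reports "solvable" while no square root exists, which is exactly the failure the remark describes; for every $n \le 30$ that does have a primitive root the two tests agree.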

5 Quadratic Residues

Definition. Let $p$ be an odd prime, and suppose we have $a \in \mathbb{Z}$ such that $p \nmid a$. Then $a$ is a Quadratic Residue of $p$ if there exists $x \in \mathbb{Z}$ such that $x^2 \equiv a \bmod p$, and $a$ is a Quadratic Non-Residue if not. We sometimes abbreviate these terms to "QR" and "QNR".

Definition. For any $a \in \mathbb{Z}$, we define the Legendre Symbol to be

$\left(\frac{a}{p}\right) = \begin{cases} +1, & p \nmid a \text{ and } a \text{ is a QR of } p, \\ -1, & p \nmid a \text{ and } a \text{ is a QNR of } p, \\ 0, & p \mid a. \end{cases}$

Theorem 5.1 (Euler's Criterion). If $p$ is an odd prime and $a \in \mathbb{Z}$ then

$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \bmod p.$



Proof. This is obvious if $p \mid a$. So suppose that $p \nmid a$. Then

$a^{p-1} \equiv 1 \bmod p$

by Fermat's Little Theorem (Theorem 3.2). Hence

$\left(a^{(p-1)/2}\right)^2 \equiv 1 \bmod p \Rightarrow p \mid \left(\left(a^{(p-1)/2}\right)^2 - 1\right)$
$\Rightarrow p \mid \left(a^{(p-1)/2} + 1\right)\left(a^{(p-1)/2} - 1\right)$
$\Rightarrow p \mid \left(a^{(p-1)/2} + 1\right)$ or $p \mid \left(a^{(p-1)/2} - 1\right)$
$\Rightarrow a^{(p-1)/2} \equiv +1$ or $-1 \bmod p.$

However, Lemma 4.4 yields

$\left(\frac{a}{p}\right) = +1 \iff \exists x \in \mathbb{Z}$ such that $x^2 \equiv a \bmod p$
$\iff a^{\phi(p)/(\phi(p), 2)} \equiv 1 \bmod p$
$\iff a^{(p-1)/2} \equiv 1 \bmod p.$

Therefore if $\left(\frac{a}{p}\right) = -1$, then the only possibility is that $a^{(p-1)/2} \equiv -1 \bmod p$. □
Lemma 5.2. If $p$ is an odd prime then

$\left(\frac{-1}{p}\right) = \begin{cases} +1, & p \equiv 1 \bmod 4, \\ -1, & p \equiv 3 \bmod 4. \end{cases}$

In other words, $x^2 \equiv -1 \bmod p$ is soluble if and only if $p \equiv 1 \bmod 4$.

Proof. By Euler's Criterion (Theorem 5.1) we have $\left(\frac{-1}{p}\right) \equiv (-1)^{(p-1)/2} \bmod p$, and both sides are $+1$ or $-1$. If they were different, we would have $+1 \equiv -1 \bmod p$ and so $p \mid 2$, which gives a contradiction as $p$ is odd. □

Lemma 5.3. Let $p$ be an odd prime and $a, b \in \mathbb{Z}$.

(ii) if $a \equiv b \bmod p$ then $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$ (periodicity);

(iii) $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$ (multiplicativity).

Proof. Claims (i) and (ii) are trivial. For claim (iii), Euler's Criterion (Theorem 5.1) gives

$\left(\frac{ab}{p}\right) \equiv (ab)^{(p-1)/2} = a^{(p-1)/2} b^{(p-1)/2} \equiv \left(\frac{a}{p}\right)\left(\frac{b}{p}\right) \bmod p.$

But $\left(\frac{ab}{p}\right) \equiv \left(\frac{a}{p}\right)\left(\frac{b}{p}\right) \bmod p$ implies $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$, as in the proof above. □

Example. Can we solve $x^2 \equiv 13 \bmod 17$?

$\left(\frac{13}{17}\right) = \left(\frac{-4}{17}\right)$ by periodicity (Lemma 5.3(ii))
$= \left(\frac{-1}{17}\right)\left(\frac{2}{17}\right)\left(\frac{2}{17}\right)$ by multiplicativity (Lemma 5.3(iii))
$= \left(\frac{-1}{17}\right)$ as $(\pm 1)^2 = 1$
$= (-1)^{(17-1)/2}$ by Lemma 5.2
$= (-1)^8 = 1.$

Hence the congruence is soluble! Note that this proof that a solution exists cannot be adapted to provide a concrete solution. It is purely an existence argument.

Lemma 5.4. If $p$ is an odd prime then there are $\frac{p-1}{2}$ incongruent QR's and $\frac{p-1}{2}$ incongruent QNR's. Equivalently, we have

$\sum_{a=1}^{p-1} \left(\frac{a}{p}\right) = 0.$

Proof. Let $g$ be a primitive root of $p$ (such a $g$ exists by Lemma 4.2). We have $\left(\frac{g}{p}\right) \equiv g^{(p-1)/2} \equiv \pm 1 \bmod p$ by Euler's Criterion (Theorem 5.1). In fact, $g^{(p-1)/2} \equiv -1 \bmod p$ since $\operatorname{ord}_p(g) = p - 1$. We use the discrete logarithm $l(a)$ to base $g$ as defined in the proof of Lemma 4.4. Then, by multiplicativity, $\left(\frac{a}{p}\right) = \left(\frac{g^{l(a)}}{p}\right) = \left(\frac{g}{p}\right)^{l(a)}$. Hence $\left(\frac{a}{p}\right) = (-1)^{l(a)}$ and so $\left(\frac{a}{p}\right) = +1$ if and only if $l(a)$ is even. However, $l(a)$ runs over $0, 1, 2, \ldots, p - 2$, of which $\frac{p-1}{2}$ are even and $\frac{p-1}{2}$ are odd. □

Remark. Note that if $p$ is an odd prime and $g$ is a primitive root mod $p$, then

$\{\text{quadratic residues mod } p\} = \{g^0, g^2, g^4, \ldots, g^{p-3}\}$
$= \{[1]^2, [2]^2, [3]^2, \ldots, [\tfrac{p-1}{2}]^2\}.$

Definition. Let $a \in \mathbb{Z}$ and $n \in \mathbb{N}$. We write $\lambda(a, n)$ for the unique integer such that $a \equiv \lambda(a, n) \bmod n$ and $0 \le \lambda(a, n) < n$. (This is not a standard notation, and is intended merely for temporary use in our discussion of quadratic residues.)

Theorem 5.5 (Gauss's Lemma). Let $p$ be an odd prime and let $a \in \mathbb{Z}$ with $p \nmid a$. Then

$\left(\frac{a}{p}\right) = (-1)^A \quad$ where $\quad A := \#\{j \in \mathbb{N} : 1 \le j \le \tfrac{p-1}{2}, \lambda(aj, p) > \tfrac{p}{2}\}.$

Example. Let $p = 13$ and $a = 5$.

If $j = 1$ then $\lambda(aj, p) = \lambda(5, 13) = 5 < 13/2$.
If $j = 2$ then $\lambda(aj, p) = \lambda(10, 13) = 10 > 13/2$.
If $j = 3$ then $\lambda(aj, p) = \lambda(15, 13) = 2 < 13/2$.
If $j = 4$ then $\lambda(aj, p) = \lambda(20, 13) = 7 > 13/2$.
If $j = 5$ then $\lambda(aj, p) = \lambda(25, 13) = 12 > 13/2$.
If $j = 6$ then $\lambda(aj, p) = \lambda(30, 13) = 4 < 13/2$.

Hence $A = \#\{2, 4, 5\} = 3$ and so $\left(\frac{5}{13}\right) = (-1)^3 = -1$.
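Here is an added Python example (my code, not the notes') that computes the Legendre symbol in the three ways this section has given so far: from the definition (search for a square root), by Euler's Criterion (Theorem 5.1) using the fast modular power `pow`, and by Gauss's Lemma (Theorem 5.5) counting the residues $\lambda(aj, p)$ that exceed $p/2$. It reproduces $A = 3$ and $\left(\frac{5}{13}\right) = -1$ from the example above, and checks Lemma 5.2 for $\left(\frac{-1}{p}\right)$. The function names are my own.

```python
def legendre_euler(a, p):
    """(a/p) by Euler's Criterion (Theorem 5.1): a^((p-1)/2) mod p read as 0, +1 or -1."""
    if a % p == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def legendre_by_definition(a, p):
    """(a/p) straight from the definition: is a a square mod p?"""
    if a % p == 0:
        return 0
    squares = {(x * x) % p for x in range(1, p)}
    return 1 if a % p in squares else -1


def gauss_lemma_count(a, p):
    """A of Theorem 5.5: #{1 <= j <= (p-1)/2 : lambda(aj, p) > p/2}.

    (a*j) % p is the least non-negative residue, i.e. lambda(aj, p).
    """
    return sum(1 for j in range(1, (p - 1) // 2 + 1) if (a * j) % p > p / 2)


def legendre_gauss(a, p):
    """(a/p) = (-1)^A by Gauss's Lemma, for p not dividing a."""
    return (-1) ** gauss_lemma_count(a, p)


def three_ways_agree(p):
    """Do the definition, Euler's Criterion and Gauss's Lemma agree for every a coprime to p?"""
    return all(legendre_by_definition(a, p) == legendre_euler(a, p) == legendre_gauss(a, p)
               for a in range(1, p))


def lemma_5_2_holds(p):
    """(-1/p) = +1 iff p == 1 (mod 4), by Euler's Criterion."""
    return legendre_euler(-1, p) == (1 if p % 4 == 1 else -1)


if __name__ == "__main__":
    print(gauss_lemma_count(5, 13), legendre_gauss(5, 13))   # 3 -1
    print(legendre_euler(13, 17))                            # 1
    print(all(three_ways_agree(p) for p in [3, 5, 7, 11, 13, 17, 19, 23, 29]))  # True
```

Of the three, only Euler's Criterion scales: `pow(a, (p-1)//2, p)` takes $O(\log p)$ multiplications, while the other two take time proportional to $p$.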

Proof. Let $S_a := \{aj : 1 \le j \le \frac{p-1}{2}\}$ and define

$\{r_1, \ldots, r_m\} = \{\lambda(aj, p) : aj \in S_a, 0 < \lambda(aj, p) < \tfrac{p}{2}\},$
$\{s_1, \ldots, s_n\} = \{\lambda(aj, p) : aj \in S_a, \tfrac{p}{2} < \lambda(aj, p) < p\},$

so that $n = A$. Note that $\lambda(aj, p) \neq \frac{p}{2}$ since $\frac{p}{2} \notin \mathbb{Z}$, and that $\lambda(aj, p) \neq 0$, since $p \nmid a$ and $p \nmid j$. Also note that if $j_1 \neq j_2$ then $\lambda(aj_1, p) \neq \lambda(aj_2, p)$ since

$\lambda(aj_1, p) = \lambda(aj_2, p) \Rightarrow aj_1 \equiv aj_2 \bmod p$
$\Rightarrow a(j_1 - j_2) \equiv 0 \bmod p$
$\Rightarrow j_1 - j_2 \equiv 0 \bmod p$ (since $p \nmid a$)
$\Rightarrow j_1 \equiv j_2 \bmod p$
$\Rightarrow j_1 = j_2$ (since $0 < j_1, j_2 < p$).

Hence $m + n = \#S_a = \frac{p-1}{2}$. We claim that

$\{r_1, \ldots, r_m, (p - s_1), \ldots, (p - s_n)\} = \{1, 2, \ldots, \tfrac{p-1}{2}\}.$

Clearly $r_i, (p - s_j) \in \{1, 2, \ldots, \frac{p-1}{2}\}$ and there are $\frac{p-1}{2}$ elements $r_i, (p - s_j)$, so it suffices to show that they are all different. We have already shown that $r_i \neq r_j$ and $s_i \neq s_j$ for $i \neq j$. To show that $r_i \neq p - s_j$ we argue by contradiction. If $r_i + s_j = p$, let $r_i = \lambda(aj_1, p)$ and $s_j = \lambda(aj_2, p)$. Then

$r_i + s_j = p = \lambda(aj_1, p) + \lambda(aj_2, p) \equiv aj_1 + aj_2 = a(j_1 + j_2) \bmod p.$

Hence $a(j_1 + j_2) \equiv 0 \bmod p$. However $p \nmid a$ and $2 \le j_1 + j_2 \le p - 1$ so that $p \nmid (j_1 + j_2)$, a contradiction. Therefore $r_i \neq p - s_j$, which proves the claim. Finally,

$r_1 r_2 \cdots r_m (p - s_1) \cdots (p - s_n) = 1 \times 2 \times \cdots \times \tfrac{p-1}{2} = \left(\tfrac{p-1}{2}\right)!$
$\equiv r_1 r_2 \cdots r_m s_1 s_2 \cdots s_n (-1)^n \bmod p.$

On the other hand, by the definition of $r_i, s_j$,

$r_1 r_2 \cdots r_m s_1 s_2 \cdots s_n = \prod_{j=1}^{(p-1)/2} \lambda(aj, p) \equiv \prod_{j=1}^{(p-1)/2} (aj) = a^{(p-1)/2} \left(\tfrac{p-1}{2}\right)! \bmod p,$

and hence

$\left(\tfrac{p-1}{2}\right)! \equiv (-1)^n a^{(p-1)/2} \left(\tfrac{p-1}{2}\right)! \bmod p.$

Now, since $p \nmid \left(\frac{p-1}{2}\right)!$, we see that $1 \equiv (-1)^n a^{(p-1)/2} \bmod p$. Thus $a^{(p-1)/2} \equiv (-1)^n \bmod p$ and so $\left(\frac{a}{p}\right) \equiv (-1)^n \bmod p$ by Euler's Criterion (Theorem 5.1). It therefore follows that $\left(\frac{a}{p}\right) = (-1)^n = (-1)^A$ as required. □

Corollary 5.6. If $p$ is an odd prime then

$\left(\frac{2}{p}\right) = \begin{cases} +1, & p \equiv \pm 1 \bmod 8, \\ -1, & p \equiv \pm 3 \bmod 8. \end{cases}$

Moreover,

$\left(\frac{2}{p}\right) = (-1)^{(p^2 - 1)/8}.$

Proof. We shall apply Gauss's Lemma (Theorem 5.5) for $a = 2$, so that

$\left(\frac{2}{p}\right) = (-1)^A \quad$ where $\quad A = \#\{1 \le j \le \tfrac{p-1}{2} : \lambda(2j, p) > \tfrac{p}{2}\}.$

Note that $2j < \frac{p}{2}$ if $j < \frac{p}{4}$ and $\frac{p}{2} < 2j < p$ if $\frac{p}{4} < j < \frac{p}{2}$. It follows that $A = \#\{j \in \mathbb{N}: \frac{p}{4} < j < \frac{p}{2}\}$. We will now use the following standard notation:
Definition. For any $x \in \mathbb{R}$ we set $\lfloor x \rfloor := \max\{n \in \mathbb{Z} : n \le x\}$. For example, $\lfloor 3 \rfloor = 3$, $\lfloor \pi \rfloor = 3$ and $\lfloor -\pi \rfloor = -4$.

With this notation we have

$A = \#\{j : \tfrac{p}{4} < j \le \tfrac{p-1}{2}\} = \tfrac{p-1}{2} - \lfloor \tfrac{p}{4} \rfloor.$

Now we look at cases:

(i) $p = 8k + 1 \Rightarrow \frac{p-1}{2} = 4k$, $\lfloor \frac{p}{4} \rfloor = 2k \Rightarrow A = 2k$,

(ii) $p = 8k + 3 \Rightarrow \frac{p-1}{2} = 4k + 1$, $\lfloor \frac{p}{4} \rfloor = 2k \Rightarrow A = 2k + 1$,

(iii) $p = 8k + 5 \Rightarrow \frac{p-1}{2} = 4k + 2$, $\lfloor \frac{p}{4} \rfloor = 2k + 1 \Rightarrow A = 2k + 1$,

(iv) $p = 8k + 7 \Rightarrow \frac{p-1}{2} = 4k + 3$, $\lfloor \frac{p}{4} \rfloor = 2k + 1 \Rightarrow A = 2k + 2$.

Hence $(-1)^A = +1 \iff p = 8k + 1$ or $8k + 7$. This proves the first assertion in the corollary.

To handle the second assertion we note that if $p = k + 8n$ then

$\frac{p^2 - 1}{8} = \frac{k^2 + 16kn + 64n^2 - 1}{8} = \frac{k^2 - 1}{8} + 2(kn + 4n^2) \equiv \frac{k^2 - 1}{8} \bmod 2.$

By checking the cases $k = \pm 1, \pm 3$ we deduce that

$\frac{p^2 - 1}{8} \equiv \begin{cases} 0 \bmod 2, & p \equiv \pm 1 \bmod 8, \\ 1 \bmod 2, & p \equiv \pm 3 \bmod 8, \end{cases}$

and the result follows. □

Exercise. Use Theorem 5.5 to find $\left(\frac{-1}{p}\right)$ and hence recover Lemma 5.2.
Lemma 5.7. Let $p$ be an odd prime and let $a \in \mathbb{Z}$ with $a$ odd and $p \nmid a$. Then

$\left(\frac{a}{p}\right) = (-1)^{\sum_{j=1}^{(p-1)/2} \lfloor aj/p \rfloor}.$

Proof. Refer to the proof of Gauss's Lemma (Theorem 5.5) and recall that $\lambda(aj, p) \equiv aj \bmod p$, with $0 < \lambda(aj, p) < p$. Here $\lambda(aj, p) = aj - pk$ where $0 < aj - pk < p$. It follows that $k < \frac{aj}{p} < k + 1$, and hence that $k = \lfloor \frac{aj}{p} \rfloor$. We therefore deduce that $\lambda(aj, p) = aj - p \lfloor \frac{aj}{p} \rfloor$. Using this expression we now have

$\sum_{i=1}^{m} r_i + \sum_{i=1}^{n} s_i = \sum_{j=1}^{(p-1)/2} \lambda(aj, p) = \sum_{j=1}^{(p-1)/2} \left(aj - p \left\lfloor \frac{aj}{p} \right\rfloor\right).$

Hence, since $a$ and $p$ are odd, we have

$\sum_{j=1}^{(p-1)/2} j - \sum_{j=1}^{(p-1)/2} \left\lfloor \frac{aj}{p} \right\rfloor \equiv \sum_{i=1}^{m} r_i + \sum_{i=1}^{n} s_i \bmod 2. \qquad (*)$

Recall from the proof of Gauss's Lemma (Theorem 5.5) that

$\{r_1, \ldots, r_m, (p - s_1), \ldots, (p - s_n)\} = \{1, 2, \ldots, \tfrac{p-1}{2}\}.$

Thus

$\sum_{i=1}^{m} r_i + np - \sum_{i=1}^{n} s_i \equiv \sum_{j=1}^{(p-1)/2} j \bmod 2,$

and hence

$\sum_{i=1}^{m} r_i + \sum_{i=1}^{n} s_i \equiv n + \sum_{j=1}^{(p-1)/2} j \bmod 2.$

Comparing this with $(*)$, we see that

$n \equiv \sum_{j=1}^{(p-1)/2} \left\lfloor \frac{aj}{p} \right\rfloor \bmod 2,$

and the result follows from Gauss's Lemma (Theorem 5.5). □

Theorem 5.8 (The Law of Quadratic Reciprocity (Gauss, 1796)). If $p$ and $q$ are distinct odd primes, then

$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}} = \begin{cases} +1, & \text{if } p \equiv 1 \bmod 4 \text{ or } q \equiv 1 \bmod 4, \\ -1, & \text{if } p \equiv q \equiv 3 \bmod 4. \end{cases}$



Remark. Gauss was particularly proud of this result, which he first proved at 
the age of 17. Indeed, he subsequently gave no fewer than seven further proofs. 
The theorem is remarkable, in that it connects the solubility of a congruence 
modulo p to the solubility of a second congruence to the seemingly unrelated 
modulus q. 

One might ask whether there is an analogous theory for cubic residues, for example. One can indeed construct such a theory, but it naturally takes place in the ring $\mathbb{Z}[\omega]$ (where $\omega$ is a primitive cube root of unity) rather than in $\mathbb{Z}$.

Example. What is $\left(\frac{29}{53}\right)$? In other words, can we solve $x^2 \equiv 29 \bmod 53$? Use LQR (the Law of Quadratic Reciprocity):

$\left(\frac{29}{53}\right) = \left(\frac{53}{29}\right)$ (by LQR since $29 \equiv 1 \bmod 4$)
$= \left(\frac{24}{29}\right)$ (by periodicity since $53 \equiv 24 \bmod 29$)
$= \left(\frac{2 \times 2 \times 2 \times 3}{29}\right)$
$= \left(\frac{2}{29}\right)^3 \left(\frac{3}{29}\right)$ (by multiplicativity).

We now use LQR and Corollary 5.6 repeatedly:

$\left(\frac{2}{29}\right) = -1$ (by Corollary 5.6 since $29 \equiv -3 \bmod 8$)

$\left(\frac{3}{29}\right) = \left(\frac{29}{3}\right)$ (by LQR since $29 \equiv 1 \bmod 4$)
$= \left(\frac{2}{3}\right)$ (by periodicity since $29 \equiv 2 \bmod 3$)
$= -1$ (by Corollary 5.6 since $3 \equiv 3 \bmod 8$).

Thus $\left(\frac{29}{53}\right) = (-1)^4 = +1$, and hence $x^2 \equiv 29 \bmod 53$ is soluble.

Proof of Theorem 5.8. To prove the Law of Quadratic Reciprocity it suffices, by Lemma 5.7, to show that

$$\sum_{k=1}^{(p-1)/2} \left\lfloor \frac{qk}{p} \right\rfloor + \sum_{k=1}^{(q-1)/2} \left\lfloor \frac{pk}{q} \right\rfloor = \frac{p-1}{2} \cdot \frac{q-1}{2}.$$

We will count the points in

$$R := \{(x, y) \in \mathbb{N} \times \mathbb{N} : 0 < x < \tfrac{p}{2},\ 0 < y < \tfrac{q}{2}\}$$

in two different ways:

(i) $\#R = \#\{x : 0 < x < \tfrac{p}{2}\} \times \#\{y : 0 < y < \tfrac{q}{2}\} = \frac{p-1}{2} \times \frac{q-1}{2}$ (since p and q are odd).

(ii) If a point (x, y) were on the line from (0, 0) to $(\tfrac{p}{2}, \tfrac{q}{2})$ we would have $y = \tfrac{qx}{p}$ and hence $py = qx$. However, then we would have $p \mid qx$, which is impossible, since $p \nmid q$ and $p \nmid x$ (recall that $0 < x < p/2$). Thus there are no points (x, y) of R on the line from (0, 0) to $(\tfrac{p}{2}, \tfrac{q}{2})$.

How many points (x, y) of R are there below (or on) the diagonal? For each value of x with $1 \le x \le \tfrac{p-1}{2}$ the pairs (x, y) below the diagonal must satisfy $1 \le y \le \tfrac{q}{p}x$. However, there are $\lfloor \tfrac{qx}{p} \rfloor$ such values of y. It follows that the total number of points below (or on) the line $y = qx/p$ is

$$\sum_{k=1}^{(p-1)/2} \left\lfloor \frac{qk}{p} \right\rfloor.$$

Similarly, there are

$$\sum_{k=1}^{(q-1)/2} \left\lfloor \frac{pk}{q} \right\rfloor$$

points above (or on) the line. It follows that

$$\#R = \sum_{k=1}^{(p-1)/2} \left\lfloor \frac{qk}{p} \right\rfloor + \sum_{k=1}^{(q-1)/2} \left\lfloor \frac{pk}{q} \right\rfloor.$$

Comparing the two expressions for #R gives the result. □
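The lattice-point count in the proof can be checked numerically. The Python code below is an added example, not part of these notes: `floor_sums` evaluates the two sums from the proof for given p and q, `check_lattice_identity` confirms that they add up to ((p-1)/2)((q-1)/2), `check_eisenstein` confirms the form of Lemma 5.7 that the proof relies on, (q/p) = (-1)^{Σ⌊qk/p⌋}, with the Legendre symbol computed independently by Euler's criterion, and `check_reciprocity` runs all of this, together with Theorem 5.8 itself, over every pair of distinct odd primes below a bound. All function names are my own.

```python
def odd_primes_below(bound):
    """Odd primes below `bound`, by the sieve of Eratosthenes."""
    is_prime = [True] * max(bound, 2)
    primes = []
    for n in range(2, bound):
        if is_prime[n]:
            if n > 2:
                primes.append(n)
            for m in range(n * n, bound, n):
                is_prime[m] = False
    return primes


def floor_sums(p, q):
    """The two lattice-point counts from the proof of Theorem 5.8:
    points of R below the line y = qx/p, and points above it."""
    below = sum((q * k) // p for k in range(1, (p - 1) // 2 + 1))
    above = sum((p * k) // q for k in range(1, (q - 1) // 2 + 1))
    return below, above


def legendre_by_euler(a, p):
    """(a/p) via Euler's criterion; used here only as an independent oracle."""
    v = pow(a, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def check_lattice_identity(p, q):
    """#R counted two ways: the floor sums must add up to ((p-1)/2)((q-1)/2)."""
    below, above = floor_sums(p, q)
    return below + above == ((p - 1) // 2) * ((q - 1) // 2)


def check_eisenstein(p, q):
    """Lemma 5.7 in the form the proof relies on: (q/p) = (-1)^{sum floor(qk/p)}."""
    below, _ = floor_sums(p, q)
    return (-1) ** below == legendre_by_euler(q, p)


def check_reciprocity(bound):
    """Theorem 5.8, together with both checks above, for every pair of
    distinct odd primes below `bound`."""
    primes = odd_primes_below(bound)
    for p in primes:
        for q in primes:
            if p == q:
                continue
            product = legendre_by_euler(p, q) * legendre_by_euler(q, p)
            expected = -1 if (p % 4 == 3 and q % 4 == 3) else 1
            if product != expected:
                return False
            if not (check_lattice_identity(p, q) and check_eisenstein(p, q)):
                return False
    return True


if __name__ == "__main__":
    print("floor sums for (29, 53):", floor_sums(29, 53))
    print("all pairs below 200 agree:", check_reciprocity(200))
```

For p = 29, q = 53 the sums are 184 and 180, whose total 364 = 14 × 26 is the number of points of R, and 184 is even, matching (53/29) = (24/29) = +1 from the example.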



Theorem 5.9. There are infinitely many primes p such that p ≡ −1 mod 8.

Proof. Suppose for a contradiction that there are only finitely many such primes, p_1, ..., p_n. Define N := 8(p_1 ... p_n)^2 − 1. Since N is odd and greater than 1 it must have at least one odd prime factor p, say. Then (4p_1 ... p_n)^2 ≡ 2 mod p and so $\left(\frac{2}{p}\right) = +1$. Thus p ≡ ±1 mod 8, by Corollary 5.6. However, if p ≡ −1 mod 8 then p = p_i for some i. This is impossible, since N ≡ −1 mod p_i while p | N. Thus if p | N then p ≡ 1 mod 8. However, any product of primes of the form 1 mod 8 must itself be 1 mod 8. This implies that N ≡ 1 mod 8, which is impossible, since N = 8(p_1 ... p_n)^2 − 1. □

6 Factorisation 

The factorisation of positive integers into their prime divisors is an ancient 
problem, and remains a difficult one even today. The modern use of coding 
systems based on the fact that factorisation is difficult makes the issue one of 
considerable current interest. At the moment such systems use numbers of at 
least 200 decimal digits, and it is therefore numbers of this size that one would 
like to factor. Note that the problem of factorisation is much harder than 
primality testing. 

Method 6.1 (Trial Division). Let n ∈ N, n ≥ 2; then either n is prime or 
there exists a prime p dividing n such that p ≤ √n. For a proof, assume n is 
composite, with n = ab and a, b ≥ 2. Without loss of generality, assume a ≤ b. 
Then a^2 ≤ ab = n so that a ≤ √n. Thus if p is any prime factor of a we have 
p ≤ √n. 

To use this method, test whether 2 | n, 3 | n, 5 | n, ... for each prime up to √n. 
This is the best method for small n and is also a good method for a "random" 
n. However it may take up to √n tests to prove or disprove primality of n. 

Method 6.2 (Fermat's Method). Let n ∈ N and let m be the least integer such that m ≥ √n. Examine m^2 − n, (m + 1)^2 − n, ... looking for square values. If (m + j)^2 − n = y^2 say, then

$$n = (m + j)^2 - y^2 = (m + j + y)(m + j - y),$$

which gives a factorisation of n.

Note that if n = ab with a, b odd and a ≤ b then

$$n = \left(\frac{a + b}{2}\right)^2 - \left(\frac{a - b}{2}\right)^2 \quad \text{with } \frac{a \pm b}{2} \in \mathbb{Z}.$$

So this process does eventually find a factor because m + j = (a + b)/2, y = (b − a)/2 will work. Unfortunately, if n is prime, we have to check until m + j = (n + 1)/2.

Example. Take n = 6077. Then 77 < √6077 < 78 so we start to look at m = 78, finding:

78^2 − 6077 = 7,
79^2 − 6077 = 164,
80^2 − 6077 = 323,
81^2 − 6077 = 484 = 22^2.

Therefore 6077 = 81^2 − 22^2 = 103 × 59.

Remark. Fermat's method works best for n = ab where a and b are close to each other.
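Methods 6.1 and 6.2 are short enough to implement directly. The Python code below is an added example and not part of these notes: `fermat_method` carries out Fermat's search exactly as described, starting at the least m ≥ √n and recording every difference (m + j)^2 − n it examines, so that for n = 6077 it reproduces the four lines of the example; `fermat_factors` turns the square it finds into the factorisation (m + j + y)(m + j − y); and `smallest_prime_factor` is trial division up to √n, used to confirm that the two factors found are prime. The function names are my own.

```python
from math import isqrt


def smallest_prime_factor(n):
    """Trial division (Method 6.1): the least prime p | n, which satisfies
    p <= sqrt(n) unless n itself is prime (then n is returned).  n >= 2."""
    if n % 2 == 0:
        return 2
    d = 3
    while d * d <= n:            # only divisors up to sqrt(n) need testing
        if n % d == 0:
            return d
        d += 2
    return n                     # nothing up to sqrt(n) divides n: n is prime


def fermat_method(n):
    """Fermat's method (Method 6.2) for odd n >= 3: starting at the least m with
    m >= sqrt(n), examine (m+j)^2 - n until it is a square y^2.
    Returns (m + j, y, differences), where `differences` lists every value
    (m+j)^2 - n that was examined, in order."""
    if n < 3 or n % 2 == 0:
        raise ValueError("Fermat's method as stated needs odd n >= 3")
    m = isqrt(n)
    if m * m < n:
        m += 1                   # least integer m with m >= sqrt(n)
    differences = []
    j = 0
    while True:
        diff = (m + j) ** 2 - n
        differences.append(diff)
        y = isqrt(diff)
        if y * y == diff:        # found (m+j)^2 - n = y^2
            return m + j, y, differences
        j += 1


def fermat_factors(n):
    """The factorisation n = (m+j+y)(m+j-y) produced by Fermat's method.
    For a prime n this is the trivial n = n * 1, reached only when
    m + j = (n+1)/2, which is why the method is slow on primes."""
    s, y, _ = fermat_method(n)
    return s + y, s - y


if __name__ == "__main__":
    s, y, diffs = fermat_method(6077)
    for j, d in enumerate(diffs):
        print(f"{s - len(diffs) + 1 + j}^2 - 6077 = {d}")
    a, b = fermat_factors(6077)
    print(f"6077 = {s}^2 - {y}^2 = {a} x {b}")
    print("both prime:", smallest_prime_factor(a) == a and smallest_prime_factor(b) == b)
```

For n = 101 (prime) the search runs through 41 differences before reaching 51^2 − 101 = 50^2, in line with the remark that a prime n forces the search up to m + j = (n + 1)/2.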

Method 6.3 (Pollard's p − 1 method). This method is far more sophisticated. Let n ∈ N and suppose that p | n where (p − 1) | k! for some "small" k ∈ N. By Fermat's Little Theorem we have $2^{p-1} \equiv 1 \bmod p$; and so if (p − 1) | k! then $2^{k!} \equiv 1 \bmod p$. Thus $p \mid (2^{k!} - 1)$, and if p | n we get that $p \mid (2^{k!} - 1, n)$.

We can now describe Pollard's algorithm. We compute $a_k \equiv 2^{k!} \bmod n$ for k = 1, 2, ..., with $0 \le a_k < n$. (We shall see below how to do this efficiently.) Then $(2^{k!} - 1, n) = (a_k - 1, n)$, which we can compute easily using Euclid's Algorithm. If the answer is between 1 and n then it gives a factor of n. If n has a prime factor p with (p − 1) | k!, we will have $p \mid (a_k - 1, n)$, so that the highest common factor will not merely be 1. (There is a danger though that the highest common factor will turn out to be n, in which case the method fails to find a factor of n. It transpires that the method breaks down in this way rather infrequently. However, in contrast to the first two approaches, Pollard's method does not always work.)

One can expect that this method is most successful when p − 1 has only small prime factors. For example, p = 2269 would be discovered using k = 9 since

$$p - 1 = 2268 = 2^2 \cdot 3^4 \cdot 7 \mid 9!.$$

How can we find $a_k$ easily (and quickly)? We have $a_1 = 2$ and $a_k \equiv a_{k-1}^k \bmod n$, since $a_{k-1}^k \equiv (2^{(k-1)!})^k = 2^{(k-1)! \cdot k} = 2^{k!} \bmod n$. This process requires k − 1 multiplications to find $a_k$, given $a_{k-1}$. Hence, by induction, we can compute $a_k$ with 1 + 2 + ... + (k − 1) = k(k − 1)/2 multiplications. This is far better than the naive process for computing $2^{k!} \bmod n$, which would require k! − 1 multiplications!

Example. Let n = 5917 and find a factor by Pollard's p − 1 method:

  k    a_k mod 5917        (a_k − 1, 5917)
  1    2                   1 = (1, 5917)
  2    2^2 = 4             1 = (3, 5917)
  3    4^3 = 64            1 = (63, 5917)
  4    64^4 = 2521         1 = (2520, 5917)
  5    2521^5 = 1648       61 = (1647, 5917)

Hence n = 5917 = 61 × 97 factors. Note that 61 − 1 = 2^2 × 3 × 5 has only small prime factors.
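The table above is exactly what the recurrence a_k = a_{k-1}^k mod n produces. The Python code below is an added example and not part of these notes: `pollard_p_minus_1` runs the method, returning the factor found together with every row (k, a_k, (a_k − 1, n)), and also handles the failure mode mentioned in the method's description, where the highest common factor turns out to be n itself (illustrated with the constructed input n = 65 = 5 × 13, both of whose primes have p − 1 dividing 4! for the first time at k = 4). `smallest_k` gives the stage at which a given prime p is caught, and `caught_at` checks the underlying Fermat congruence 2^{k!} ≡ 1 mod p. Function names are my own; `pow` is used for the modular powers in place of the k − 1 multiplications described in the text.

```python
from math import factorial, gcd


def pollard_p_minus_1(n, base=2, max_k=60):
    """Pollard's p - 1 method (Method 6.3) with the recurrence of the notes:
    a_1 = base, a_k = a_{k-1}^k mod n, so that a_k = base^(k!) mod n.
    Stops as soon as 1 < gcd(a_k - 1, n) < n.  Returns (factor, rows), where
    rows is the table (k, a_k, gcd(a_k - 1, n)) and factor is None if the
    method failed (gcd equal to n, or no success up to max_k)."""
    a = base % n
    rows = []
    for k in range(1, max_k + 1):
        if k > 1:
            a = pow(a, k, n)          # the notes do this with k - 1 multiplications
        g = gcd(a - 1, n)
        rows.append((k, a, g))
        if 1 < g < n:
            return g, rows            # proper factor of n found
        if g == n:
            return None, rows         # every prime factor of n was caught at the same k
    return None, rows                 # no p | n with (p - 1) | k! for any k <= max_k


def smallest_k(p):
    """Least k with (p - 1) | k!: the stage at which the method catches the prime p."""
    k, f = 1, 1
    while f % (p - 1) != 0:
        k += 1
        f *= k
    return k


def caught_at(p, k):
    """The Fermat congruence behind the method: is 2^(k!) = 1 mod p?"""
    return pow(2, factorial(k), p) == 1


def print_table(n):
    factor, rows = pollard_p_minus_1(n)
    print(f"{'k':>3}  {'a_k mod ' + str(n):>16}  {'(a_k - 1, n)':>14}")
    for k, a, g in rows:
        print(f"{k:>3}  {a:>16}  {g:>14}")
    print("factor found:", factor)


if __name__ == "__main__":
    print_table(5917)               # the worked example: 61 at k = 5
    print_table(65)                 # constructed failure case: gcd jumps straight to 65
    print("2269 is caught at k =", smallest_k(2269))
```

In the n = 5917 run the factor 61 appears at k = 5 because 60 | 5!, while 97 is not yet caught (96 = 2^5 · 3 first divides 8!), so the gcd is a proper factor. For n = 65 both 4 and 12 divide 4! for the first time at k = 4, so a_4 ≡ 1 mod 65 and the gcd is 65: the method fails on that input, as the text warns it occasionally does.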
7 Cryptography 



Definition. In cryptography, the study of codes and ciphers, the Plaintext is 
the message to be encrypted, easily readable and completely insecure (e.g. a 
credit-card number, name and address), the Ciphertext is the message written 
in code (i.e. some horrible unreadable mess of numbers, symbols and letters). 
In order to move from the Plaintext to the Ciphertext, we must encrypt the 
Plaintext and to return to the Plaintext (in order to read the message once it 
has been received) we must decrypt it. 

Many coding systems begin by translating a message written with ordinary 
letters into one involving numbers, using a standard system which is assumed 
to be well known to the sender, to the recipient, and to the enemy! One might 
use the standard ASCII codes, for example. We shall use the convention that 
we translate A to 00, B to 01, C to 02,. . . , and Z to 25. We will ignore all 
punctuation for simplicity. Thus CODE would be written in the numerical 
form 03140405, for example. 

Method 7.1. A very basic cipher, dating from the times of the Romans, and 
used by Julius Caesar, is called the Caesar Cipher. To use this cipher, first 
pick a numerical "key" 1 ≤ k ≤ 25 and translate each letter of the Plaintext to 
an integer from 00 to 25 as above. For each such integer P_i find C_i ≡ P_i + k 
mod 26 in the same range 0 ≤ C_i ≤ 25, and convert the C_i back into letters. 
One then sends the new string as the Ciphertext. In order to decrypt this code, 
one must repeat the algorithm but for each C_i in the Ciphertext, one computes 
P_i ≡ C_i − k mod 26. 

Example. Encrypt the string "TOP SECRET" using Caesar Shift with k = 11:

         T   O   P   S   E   C   R   E   T
  P_i    19  14  15  18  04  02  17  04  19
  C_i    04  25  00  03  15  13  02  15  04
         E   Z   A   D   P   N   C   P   E

Clearly, sending the message "EZA DPNCPE" wouldn't mean much to an onlooker, but to someone who knows how to reverse the algorithm, it tells him "TOP SECRET".

Remark. There are (at least) two problems with this system of encryption. 
Firstly, the sender and receiver both have to know the key number k. How can 
they agree on a value securely, other than by meeting in person? Secondly, if 
the enemy knows which type of system is being used, they can easily decrypt 
the message even without knowing k. After all, there are only 25 possible values 
to try! For 2000 years those who constructed codes focused on this second issue, 
without making any progress on the first difficulty. 

Method 7.2. A substitution cipher is a more general version of the Caesar 
Cipher. This involves some permutation of the alphabet to encrypt messages, 
e.g. A ↦ E, B ↦ W, C ↦ U, ... There are 26! possible substitution ciphers. 
However, this can be attacked using frequency analysis and suffers from the 
"secure key exchange" problem described above. 

Method 7.3. The RSA Public Key Cryptosystem, invented by Rivest, Shamir 
and Adleman in 1977 allows messages to be sent securely without the need to 
exchange a "key" secretly. The letters RSA stand for the surnames of the three 
creators. 

To model this system, let us call the sender of the message Alice and the 
intended recipient Bob. A malicious eavesdropper will appear later by the name 
of Eve. Bob chooses two large primes p and q and an integer e such that 
(e, (p — l)(q — 1)) = 1. Typically p, q have hundreds of digits each. Bob 
announces e and n = pq (but not the factors p and q) to the public. These 
are the "Public Key". When Alice wishes to send Bob a message securely, she 
converts her message to a numerical string P using the system above and looks 
up Bob's Public Key information. She then computes C = P e mod n and 
sends C to Bob. Now, Bob knows p and q so he can decrypt the message: 

(i) Bob computes d such that de ≡ 1 mod (p − 1)(q − 1). He can do this using Euclid's Algorithm.

(ii) We have $C^d = (P^e)^d = P^{ed} = P^{1 + k(p-1)(q-1)} = P^{1 + k\phi(n)}$ for some k ∈ N, since φ(n) = φ(pq) = (p − 1)(q − 1). By Theorem 3.3 (Euler's Theorem) we have $P^{\phi(n)} \equiv 1 \bmod n$ so that $C^d \equiv P \bmod n$.

(iii) Thus Bob can recover Alice's message by computing $C^d \equiv P \bmod n$.

Note several important points:

(i) The primes p and q can be obtained by choosing random numbers in a suitable range and using efficient primality tests.

(ii) Actually, we need (P, n) = 1. It is possible for this to fail if p | P or q | P but since p, q are hundreds of digits long each, this is very unlikely indeed.

(iii) Alice's message P may be larger than n. In this case she will have to break P into pieces each of which is smaller than n and send them separately.

(iv) We need an efficient way of exponentiating mod n. One way to do this is as follows. Suppose we want to compute $m^r \bmod n$ for some m, r ∈ Z. Let $r_k \ldots r_0$ be the binary expansion of r, so each $r_i$ is either 0 or 1. We can inductively compute $m^{2^i} = (m^{2^{i-1}})^2 \bmod n$ for i = 1, ..., k. Then

$$m^r = \prod_{i : r_i = 1} m^{2^i} \bmod n.$$

(v) Even with the above method, computing $P^e \bmod n$ and $C^d \bmod n$ are relatively slow jobs. For large P or C, even modern computers take a while to complete the algorithm. Thus a balance needs to be struck in choosing the size of n. If n is too small the code may be insecure (see below), but if n is too large the encryption/decryption processes may be impractically slow.
Example. Bob has published e = 13 and n = 2537 and Alice wishes to send him the very secret message "I love you". This produces P = 0811142104241420, but since she can only send messages of size below n she has to break up her message into blocks 0811, 1421, 0424, 1420. She calculates $C \equiv P^{13} \bmod 2537$ for each of them:

(0811)^13 ≡ 1542 mod 2537,
(1421)^13 ≡ 0323 mod 2537,
(0424)^13 ≡ 0467 mod 2537,
(1420)^13 ≡ 2323 mod 2537.

So the Ciphertext is "1542032304672323" which she sends to Bob. Bob knows that 2537 = 43 × 59 so he finds a d such that 13d ≡ 1 mod (42 × 58). One such d is 937. Bob now calculates $P \equiv C^{937} \bmod 2537$ for each block of four numbers:

(1542)^937 ≡ 0811 mod 2537,
(0323)^937 ≡ 1421 mod 2537,
(0467)^937 ≡ 0424 mod 2537,
(2323)^937 ≡ 1420 mod 2537.

Hence Bob can read the message Alice sent him.
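The whole exchange, from the key set-up in step (i) to Bob's recovery of the blocks, can be run on the numbers of the example. The Python code below is an added example and not part of these notes; it also implements the binary exponentiation of note (iv) as `mod_pow` (repeated squaring to obtain m^{2^i} mod n, multiplying together those with r_i = 1) and uses it for every modular power rather than Python's built-in `pow`. `rsa_private_exponent` finds d by the extended form of Euclid's Algorithm, `text_to_blocks` applies the A = 00, ..., Z = 25 convention and cuts the digits into blocks below n as in note (iii) (a message with an odd number of letters has its last block padded with 00, which `blocks_to_text` trims again), and `rsa_encrypt` / `rsa_decrypt` are Alice's and Bob's computations. All function names are my own.

```python
def mod_pow(m, r, n):
    """Exponentiation mod n as in note (iv): with r = r_k ... r_0 in binary,
    compute m^(2^i) mod n by repeated squaring and multiply together exactly
    those with r_i = 1.  Agrees with Python's built-in pow(m, r, n)."""
    result, power = 1, m % n            # power holds m^(2^i) mod n
    while r > 0:
        if r & 1:                       # bit r_i = 1: include m^(2^i)
            result = (result * power) % n
        power = (power * power) % n     # m^(2^(i+1)) = (m^(2^i))^2
        r >>= 1
    return result


def extended_euclid(a, b):
    """Returns (g, x, y) with a*x + b*y = g = (a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_euclid(b, a % b)
    return g, y, x - (a // b) * y


def rsa_private_exponent(e, p, q):
    """Step (i): d with d*e = 1 mod (p-1)(q-1), found with Euclid's Algorithm."""
    phi = (p - 1) * (q - 1)
    g, x, _ = extended_euclid(e, phi)
    if g != 1:
        raise ValueError("(e, (p-1)(q-1)) must be 1")
    return x % phi


def letters_per_block(n):
    """Largest number of letters whose numerical form ('25' repeated, the
    worst case) is still below n (note (iii))."""
    size = 1
    while int("25" * (size + 1)) < n:
        size += 1
    return size


def text_to_blocks(text, n):
    """A -> 00, ..., Z -> 25, then cut into blocks below n.  A short final
    block is padded with 00 (an 'A'); blocks_to_text trims it again."""
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in text.upper() if "A" <= c <= "Z")
    size = letters_per_block(n)
    n_letters = len(digits) // 2
    digits += "00" * ((-n_letters) % size)
    width = 2 * size
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]


def blocks_to_text(blocks, n, n_letters):
    """Inverse of text_to_blocks for a message of n_letters letters."""
    width = 2 * letters_per_block(n)
    digits = "".join(f"{b:0{width}d}" for b in blocks)
    letters = "".join(chr(int(digits[i:i + 2]) + ord("A")) for i in range(0, len(digits), 2))
    return letters[:n_letters]


def rsa_encrypt(blocks, e, n):
    """Alice: C = P^e mod n for each block, using only the public key (e, n)."""
    return [mod_pow(P, e, n) for P in blocks]


def rsa_decrypt(cipher_blocks, d, n):
    """Bob: P = C^d mod n for each block, using the secret exponent d."""
    return [mod_pow(C, d, n) for C in cipher_blocks]


if __name__ == "__main__":
    e, p, q = 13, 43, 59                # Bob's choices from the example
    n = p * q                           # 2537, published together with e
    d = rsa_private_exponent(e, p, q)   # 937
    blocks = text_to_blocks("I love you", n)
    cipher = rsa_encrypt(blocks, e, n)
    recovered = rsa_decrypt(cipher, d, n)
    print("d =", d)
    print("P blocks:", [f"{b:04d}" for b in blocks])
    print("C blocks:", [f"{c:04d}" for c in cipher])
    print("recovered:", blocks_to_text(recovered, n, 8))
```

Note that for n = 2537 two letters per block is the most that fits, since "2525" < 2537 but "252525" is not, which is why the example uses blocks of four digits.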

Can Eve, the eavesdropper, work out the secret message? One assumes she 
can intercept the encrypted version C — hacking into the email system is child's 
play these days. Moreover she will know n and e, which Bob has made public. 
Thus the problem is to find d. The only way we know to do this is by computing 
4>(n), for which she will need to find p and q. So the only known way to decrypt 
RSA messages requires one to factorise a number n of hundreds of digits. A 
large part of modern internet security is therefore based on the difficulty of the 
factorisation problem. There is however another important question — Is there 
another (quicker) way to find d? 

We conclude by showing that finding φ(n) is tantamount to calculating p and q.

Lemma 7.4. If we know n and φ(n) then we can easily calculate p and q.

Proof. We have φ(n) = (p − 1)(q − 1) = n − p − q + 1 so that p + q = n − φ(n) + 1. Since also pq = n, the numbers p and q are roots of

$$x^2 - x(n - \phi(n) + 1) + n = 0.$$

Thus

$$p, q = \tfrac{1}{2}\left((n - \phi(n) + 1) \pm \sqrt{(n - \phi(n) + 1)^2 - 4n}\right).$$

□
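The formula in the proof is worth running on the example's numbers, since it shows that φ(n) must be kept just as secret as p and q. The Python function below is an added example, not part of these notes: given n and a claimed value of φ(n) it solves the quadratic with exact integer arithmetic, and returns `None` when the discriminant is not a perfect square or the roots do not multiply to n, which is what happens when the claimed φ(n) is wrong. The function name and the second test pair (1009, 1013) are my own constructed choices.

```python
from math import isqrt


def primes_from_phi(n, phi):
    """Lemma 7.4: recover p and q from n = pq and phi = (p-1)(q-1).
    p + q = n - phi + 1 and pq = n,  so p, q are the roots of
    x^2 - (n - phi + 1) x + n = 0.  Returns (p, q) with p <= q, or None when
    no such pair exists (the discriminant is not a perfect square, or the
    candidate roots do not multiply to n)."""
    s = n - phi + 1                     # p + q
    disc = s * s - 4 * n                # (p + q)^2 - 4pq = (p - q)^2
    if disc < 0:
        return None
    root = isqrt(disc)                  # exact integer square root
    if root * root != disc or (s - root) % 2 != 0:
        return None
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n or p < 2:
        return None
    return p, q


if __name__ == "__main__":
    print(primes_from_phi(2537, 42 * 58))     # the example: (43, 59)
    print(primes_from_phi(2537, 2435))        # wrong phi: None
```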